Meet CMMC seller James Harper, who allowed himself to get suckered into buying one of those weirdo Cyber AB badges and now needs to recoup his ill-conceived investment. Harper runs Texas-based cybersecurity firm Quatronics and labels himself a “visionary leader,” a label that never bodes well for those who adopt it.

To go along with his curious decision to buy that “CCP” badge (yes, The Cyber AB named one of their badges after the Chinese Communist Party), Harper thought it would be a good idea to scrape the data from the Cyber AB’s website, and put it all into a PDF file. Specifically, he made the PDF to list all the CMMC auditing bodies, called “C3PAOs,” in one place, along with links to their websites. Then, on LinkedIn, he invited people to download his hyperlink-filled PDF, but only after you give him your email and phone number.

There are a few problems with this. Harper admitted he got the data from The Cyber AB’s CMMC Marketplace, in apparent violation of that site’s copyright and terms of site usage. The site clearly says you are not allowed to do what Harper apparently did, but Harper just dug in after being confronted, saying it’s all “public information.” Companies bigger than Quatronics — you know, like Google and OpenAI — are currently facing lawsuits over that same assertion. But I guess Harper cracked the case on the whole internet intellectual property thing.

Next, Harper defended his actions by saying his information was more complete than that of the official Cyber AB Marketplace:

I have also added phone numbers for some of the C3PAOs; the Marketplace does not have phone numbers for all of them.

It never occurred to Harper that maybe some of these C3PAOs did not want their phone numbers published in the first place, which is their right. Some companies want to avoid having their numbers published so they don’t get victimized by spam calls. Also consider that many of these C3PAOs are one-person shops and may be operating out of their private homes. Harper just published their information anyway, because he’s a dick.

Then, Joshua Harper, who I assume is his son, chimed in, too, because this kind of thing is a family tradition? He raised the “other people do scummy things, so we can, too” defense:

… all Knowbe4 (a well respected cybersecurity training company) PDFs and Cybersecurity tips require submitting a contact form. How is this different?

Again, though: you can only get the PDF if you fill out a form surrendering your email address and phone number to Quatronics.

Wait, what?

Yeah, let’s recap. A supposed cybersecurity expert is offering to send you a PDF filled with clickable links, but only if you first give him your personal contact information.

It sounds like the exact scenario a company would implement to train employees how to defend against phishing scams, but it’s not. Harper and his gang really believe this is a good idea, and he tripled down on it.

Josh chimed in again, because he can’t stop putting his foot in his mouth, and made things much, much worse. In defense of their demand to provide contact information, Josh said the quiet part out loud, and admitted Quatronics totally thinks you’re their “product.” (Emphasis mine):

Your concern about “cybersecurity” is invalid as there is no reason one could not use a temporary or disposable email address used for “spam” purposes. In fact, that’s what I encourage people to do.

If you do not wish to provide your contact information in order to receive a benefit, then that benefit is either fake, open source, or gathering other data that is potentially worse.

Think about this perspective… Either you pay for the product, or *you* are the product.

So, rather than simply: (a) NOT offer a potentially phish-laden PDF with links at all, or (b) offer it as a direct download without any data-harvesting requirement at all, the Harpers want you to go through the hurdle of making a burner email address first, and then download their risky PDF.

I dunno, I’m no cybersecurity expert, but I have offered free downloads from my website for nearly a quarter of a century now and never once required anyone to submit their email address first. Somehow I manage to earn a living.

And these guys are the CMMC experts.

Actually, that last part makes sense. They do this kind of thing because they are CMMC experts, as the CMMC scheme is catnip for this type.